“These spy apps should be out of market, most people spy on girls and [their] data image [...] always sensitive,” the hacker wrote in a message to an intermediary who then shared it with Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”

The targeted company is SpyHuman, an India-based firm which offers software to monitor Android devices. According to the company’s website, once installed on a device an attacker has physical access to, SpyHuman’s software can intercept phone calls and text messages, track GPS locations, read WhatsApp and Facebook messages, and remotely turn on the device’s microphone. All of the collected data is then presented in a dashboard for the user to view.

The stolen data itself includes the content of apparent text messages and call metadata—the phone number an infected device dialled or received a call from, and for how long and on what date—exfiltrated by SpyHuman’s malware. Motherboard obtained a sample of stolen data through the hacker’s intermediary, French security researcher Baptiste Robert.

Robert, who goes by the handle @fs0c131y, said he verified the vulnerability and that over 440,000,000 call details were available via the site.

The intermediary also shared a video filmed by the hacker, in which they demonstrate how to exploit a basic security issue in the site to obtain the customer data. After logging in to SpyHuman—users can make a free account—the hacker shows an empty screen where SMS logs will appear once collected by the malware. Then, the hacker makes a particular change to the URL, revealing a stream of other users’ SMS messages.

“U at home or out,” one of the messages reads. “Can I call you later?” reads another. Some of the messages are in Hindi, and related searches to the company provided by Google include “spy human in hindi.”

Motherboard did not find specific evidence of what sort of people the software was used to monitor, be those children, employees, or spouses.

Included in the video are two email addresses seemingly belonging to customers. To verify that this video was indeed filmed on the SpyHuman site, Motherboard attempted to sign up to SpyHuman’s site with those email addresses. This failed, because the email addresses had already been registered to SpyHuman.

In an email SpyHuman confirmed the stolen data belonged to its site.

“We deeply care about our customers and the privacy of our customers' data. After your email, we immediately took actions to secure our system,” the company wrote.

As for curbing abuse of its product, SpyHuman wrote that “As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.” However, someone intending to spy on their partner or spouse could theoretically just select the option to hide the software on the target device.

In February, another hacker provided Motherboard with data from Mobistealth and Spy Master Pro, two other companies in the same industry. Some of Mobistealth’s customers included employees from the FBI, ICE, and the DHS.

Update: This piece has been updated to include extra information from Baptiste Robert.